Cryptography V: Message Authentication, Hash Functions, Digital Signatures

Message Authentication

Message authentication aims to:
- Protect the integrity of a message.
- Validate the originator's identity.
- Ensure non-repudiation of origin for dispute resolution.
Security requirements are considered.
Three alternative functions are used:
- Message encryption
- Message Authentication Code (MAC)
- Hash function

Message Encryption

Message encryption provides a level of authentication.
With symmetric encryption:
- The receiver knows the sender created the message because only they share the key.
- The content is protected from alteration since only sender and receiver know the key used.
- Changes can be detected via message structure, redundancy, or checksum.
With public-key encryption:
- Encryption alone doesn't guarantee sender identity since anyone can know public-key.
- If the sender signs the message with their private key and then encrypts it with recipient’s public key:
  - Secrecy and authentication are both achieved.
  - Corrupted messages must still be recognized.
  - Incurs the overhead of two public-key operations.
Symmetric encryption provides confidentiality and authentication: $E(K,M)$ and $D(K,M)$ .
Public-key encryption provides confidentiality: $E(PUb, M)$ and $D(PRb, M)$ .
Public-key encryption provides authentication and signature: $E(PRa, M)$ and $D(PUa, M)$ .
Public-key encryption provides confidentiality, authentication, and signature: $E(PUb, E(PRa, M))$ and $D(PRb, E(PUa, M))$ .

Message Authentication Code (MAC)

A MAC is generated by an algorithm.
- Creates a small, fixed-size block.
- Depends on both the message and a secret key.
- Similar to encryption, but not necessarily reversible.
The MAC is appended to the message as a signature.
The receiver performs the same computation and verifies the MAC.
Assures that the message is unaltered and from the sender.
MAC provides confidentiality: $C(K,M)$ .
Message authentication and confidentiality tied to plaintext: $E(K2, [M || C(K1, M)])$ .
Message authentication and confidentiality tied to ciphertext: $E(K_2, M)$ .

MAC (cont.)

As shown the MAC provides confidentiality
Encryption can be used for secrecy.
- Separate keys are generally used for MAC and encryption.
- MAC can be computed before or after encryption, but before is generally preferred.
Reasons to use a MAC:
- Sometimes, only authentication is required.
- Authentication may need to persist longer than encryption (e.g., archival).
A MAC is distinct from a digital signature.

MAC Properties

A MAC is a cryptographic checksum: $MAC = C_K(M)$
- Condenses a variable-length message $M$ .
- Uses a secret key $K$ .
- Results in a fixed-size authenticator.
It's a many-to-one function.
- Multiple messages can have the same MAC.
- Finding these messages should be computationally difficult.

Requirements for MAC

Based on the types of attacks, the MAC should:
1. Given a message and its MAC, it should be infeasible to find another message with the same MAC.
2. MACs should be uniformly distributed.
3. The MAC should depend equally on all bits of the message.

Using Symmetric Cipher for MAC

Any block cipher chaining mode can be used with the final block as a MAC.
The Data Authentication Algorithm (DAA) was a widely used MAC based on DES-CBC.
- Used IV=0 (64 bits of zero since DES is used) and zero-padding of the final block.
- Encrypt the message using DES in CBC mode.
- Send the final block as the MAC.
- Or the leftmost M bits ( $16 \leq M \leq 64$ ) of the final block.
However, the final MAC is now too small for security.

Hash Functions

Condenses an arbitrary message to a fixed size: $h = H(M)$ .
The hash function is generally public and unkeyed (unlike MACs).
Hashes are used to detect message changes.
Can be used in various ways with a message.
Most often used to create a digital signature.
Hash function usage:
- Message and Hash: $M$ and $H(M)$ .
- Encrypted Message and Hash: $E(K, [M || H(M)])$ .
- Encrypted Hash: $E(K, H(M))$ .
- Digital Signature: $E(PR_a, H(M))$ .
- Encrypted Message with Digital Signature: $E(K, [M || E(PR_a, H(M))])$ .

Requirements for Hash Functions

Can be applied to any sized message M.
Produces fixed-length output h.
Is easy to compute $h=H(M)$ for any message M.
Given h is infeasible to find x s.t. $H(x)=h$ (one-way property).
Given x is infeasible to find y s.t. $H(y)=H(x)$ (weak collision resistance).
Is infeasible to find any x,y s.t. $H(y)=H(x)$ (strong collision resistance).

Avalanche Effect

Small changes to the input drastically change the output hash.
This makes hash functions very sensitive to changes in input.
Example:
- Input: "The red fox jumps over the blue dog" produces dramatically different hash value than "The red fox jumps ouer the blue dog"

Simple Hash Functions

Several proposals exist for simple hash functions.
Based on XOR of message blocks.
Not secure because one can manipulate a message without changing the hash, or predictably change the hash.
A stronger cryptographic function is needed.

Birthday Attacks

A 64-bit hash is not secure due to the Birthday Paradox.
Birthday attack process:
1. The opponent generates $2^{m/2}$ variations of a valid message with essentially the same meaning.
2. The opponent generates $2^{m/2}$ variations of a desired fraudulent message.
3. The two sets of messages are compared to find a pair with the same hash (probability > 0.5 by birthday paradox).
4. The user signs the valid message, then the forgery is substituted which has a valid signature.
Conclusion: larger MACs are needed.

Block Ciphers as Hash Functions

Block ciphers can be used as hash functions.
- Using $H_0 = 0$ and zero-padding of the final block.
- Compute: $Hi = E{Mi}[H{i-1}]$ .
- Use the final block as the hash value.
- Similar to CBC but without a key.
The resulting hash is too small (64-bit).
- Due to the direct birthday attack.
- And to the "meet-in-the-middle" attack.
Other variants are also susceptible to attack.

Secure Hash Algorithm

SHA originally designed by NIST & NSA in 1993.
Revised in 1995 as SHA-1.
US standard for use with DSA digital signature scheme.
- Standard is FIPS 180-1 1995, also Internet RFC3174.
- The algorithm is SHA, the standard is SHS.
Based on the design of MD4 with key differences.
Produces 160-bit hash values.
2005 results on SHA-1 security raised concerns about future use.

Revised Secure Hash Standard

NIST issued revision FIPS 180-2 in 2002.
Adds 3 additional versions of SHA:
- SHA-256, SHA-384, SHA-512.
Designed for compatibility with increased security provided by the AES cipher.
Structure & detail is similar to SHA-1.
Analysis should be similar.
Security levels are higher.

SHA-3

SHA-1 has not yet been "broken".
No one has demonstrated technique for producing collisions in a practical amount of time.
Considered to be insecure and has been phased out for SHA-2
NIST announced in 2007 a competition for the SHA-3 next generation NIST hash function
- Winning design was announced by NIST in October 2012
- SHA-3 is a cryptographic hash function that is intended to complement SHA-2 as the approved standard for a wide range of applications
SHA-2 shares the same structure and mathematical operations as its predecessors so this is a cause for concern
Because it will take years to find a suitable replacement for SHA-2 should it become vulnerable, NIST decided to begin the process of developing a new hash standard

The Sponge Construction

Underlying structure of SHA-3 is a scheme referred to by its designers as a sponge construction
Takes an input message and partitions it into fixed-size blocks
Each block is processed in turn with the output of each iteration fed into the next iteration, finally producing an output block
The sponge function is defined by three parameters:
- f = the internal function used to process each input block
- r = the size in bits of the input blocks, called the bitrate
- pad = the padding algorithm
https://csrc.nist.gov/projects/hash-functions/sha-3-project

Hash Algorithms

Name	Output size (bits)	Rounds	Security
MD5	128	64	Broken (Collision attack)
SHA-1	160	80	Theoretically vulnerable
RIPEMD-160	160	80	Used in Bitcoin
Whirlpool	512	10	Based on AES
SHA-2	224,256,384,512	64,80	Some theories, considered safe
BLAKE2	256,512	10,12	Secure, relatively untested
SHA-3 (Keccak)	224,256,384,512	24	Based on ChaCha Stream Cipher
BLAKE3	256 but extensible	7	Very new, fast

Digital Signatures

Message authentication doesn't address issues of trust.
Digital signatures provide the ability to:
- Verify author, date & time of signature.
- Authenticate message contents.
- Be verified by third parties to resolve disputes.
Combine authentication with additional capabilities.

Digital Signature Properties

Must depend on the message signed.
Must use information unique to the sender to prevent forgery and denial.
Must be relatively easy to produce.
Must be relatively easy to recognize & verify.
Be computationally infeasible to forge
- With new message for existing digital signature
- With fraudulent digital signature for given message
Be practical to save digital signature in storage

Direct Digital Signatures

Involve only the sender & receiver.
Assume the receiver has the sender’s public key.
The digital signature is made by the sender signing the entire message or hash with their private key.
Can encrypt using the recipient’s public key.
Important to sign first, then encrypt the message & signature.
Security depends on the sender’s private key.

ElGamal Digital Signature

A signature variant of ElGamal, related to Diffie-Hellman.
- Uses exponentiation in a finite (Galois) field.
- Security based on the difficulty of computing discrete logarithms, as in D-H.
Uses the private key for encryption (signing).
Uses the public key for decryption (verification).
Each user (e.g., Alice) generates their key.
- Chooses a secret key (number): 1 < x_A < q-1.
- Compute their public key: $yA = a^{xA} \mod q$ .

ElGamal Digital Signature

Alice signs a message $M$ to Bob by computing
- The hash $m = H(M)$ , 0 <= m <= (q-1)
- Chose random integer $K$ with 1 <= K <= (q-1) and $GCD(K,q-1)=1$
- Compute temporary key: $S1 = a^k \mod q$
- Compute $K^{-1} \mod (q-1)$
- Compute the value: $S2 = K^{-1}(m-x_A S1) \mod (q-1)$
- signature is: $(S1,S2)$
Bob can verify the signature by computing
- $V1 = a^m \mod q$
- $V2 = y_A^{S1} S1^{S2} \mod q$
- signature is valid if $V1 = V2$

ElGamal Signature Example

Use field GF(19) q=19 and a=10
Alice computes her key:
- A chooses xA=16 & computes $y_A=10^{16} \mod 19 = 4$
Alice signs message with hash m=14:
- choosing random K=5 which has gcd(18,5)=1
- computing $S1 = 10^5 \mod 19 = 3$
- finding $K^{-1} \mod (q-1) = 5^{-1} \mod 18 = 11$
- computing $S2 = 11(14-16*3) \mod 18 = 4$
Bob can verify the signature by computing
- $V1 = 10^{14} \mod 19 = 16$
- $V2 = 4^3*3^4 = 5184 = 16 \mod 19$
- since 16 = 16 signature is valid

Digital Signature Standard (DSS)

US Govt approved signature scheme
designed by NIST & NSA in early 90's
published as FIPS-186 in 1991
revised in 1993, 1996 & then 2000
uses the SHA hash algorithm
DSS is the standard, DSA was the algorithm
The latest version, FIPS 186-5 (2020) also incorporates digital signature algorithms based on RSA and elliptic curve cryptography
- DSA is only used for verification

Digital Signature Algorithm (DSA)

creates a 320 bit signature
with 512-1024 bit security
smaller and faster than RSA
a digital signature scheme only
security depends on difficulty of computing discrete logarithms

Two Approaches to Digital Signatures

RSA Approach: $E(PRa, H(M))$ and $PUa$ .
DSA Approach: $H(M)$ , $PU_a$ .

DSA Key Generation

have shared global public key values (p,q,g):
- a large prime $p = 2^L$
  - where L= 512 to 1024 bits and is a multiple of 64
- choose q, a 160 bit prime factor of p-1
- choose $g = h^{(p-1)/q}$
  - where h
users choose private & compute public key:
- choose x<q
- compute $y = g^x (\mod p)$

DSA Signature Creation

to sign a message M the sender:
- generates a random signature key k, k<q
 - nb. k must be random, be destroyed after use, and never be reused
- then computes signature pair:
 - $r = (g^k \mod p) \mod q$
 - $s = (k^{-1} \cdot SHA(M)+ x \cdot r) \mod q$
sends signature (r,s) with message M

DSA Signature Verification

having received M & signature (r,s)
to verify a signature, recipient computes:
- $w = s^{-1} \mod q$
- $u1= (SHA(M) \cdot w) \mod q$
- $u2= (r \cdot w) \mod q$
- $v = (g^{u1} \cdot y^{u2} \mod p) \mod q$
if v=r then signature is verified

DSS Overview

Signing:
- $r = f_2(k, p, q, g) = (g^k \mod p) \mod q$
- $s = f_1(H(M), k, x,r,q) = (k^{-1} (H(M) + xr)) \mod q$
Verifying:
- $w=f_3(s', q)=(s')^{-1} \mod q$
- $v=f_4(y, q, g, H(M'), w, r') = ((g^{(H(M')w)} \mod q y^{r'w} \mod q) \mod p) \mod q$

Summary

Message authentication code
Hash functions
- General approach & security
- Some hash algorithms
Digital signature
- Direct digital signature
- Digital signature standard & algorithm